
Test "secure" websites for Heartbleed vulnerability

Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Whitehat or no, I would be interested to know the legal situation of running a tool like this against a site without permission.


  • Closed Accounts Posts: 2,532 ✭✭✭Lou.m




  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Whitehat or no, I would be interested to know the legal situation of running a tool like this against a site without permission.

    Aside from the site's terms and conditions of use, and similar, the customer (of a site that has or might get) one's personal information must expect this type of testing especially from security conscious customers.

    The test I posted a link to does not run the test on each request. If the test has been run within a certain period in the past, it simply shows the enquirer a copy of the test results.

    There are a lot of poorly configured sites on the internet, many running out-of-date software, who need to be exposed in cases where personal information is involved.


  • Registered Users, Registered Users 2 Posts: 36,462 ✭✭✭✭Hotblack Desiato


    Impetus wrote: »
    The vulnerability does not affect Microsoft servers

    It does if the SSL connection terminates on a firewall or load balancer running a vulnerable version of OpenSSL, and these vendors won't be as quick to make patches available.

    It probably also affects most Linux desktops (clients).

    Most browsers don't use OpenSSL; Firefox doesn't. If you have a port open to the internet for incoming SSL connections then you're running a server and need to know how to secure it anyway. But normal desktop Linux users have no need to worry AFAIK. All the major distros had a patch out very quickly so apply that and stop/restart sshd (or reboot) and you're covered anyway.

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.



  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    ninja900 wrote: »
    It does if the SSL connection terminates on a firewall or load balancer running a vulnerable version of OpenSSL, and these vendors won't be as quick to make patches available.

    It does not affect Microsoft servers. Period!

    It may affect a system which uses software which relies on OpenSSL. However I would have thought that this would not apply to a pure firewall which I presume just passes packets to the server - even if that firewall was Linux based. The only exception I can think of is a firewall that also has VPN functionality.


  • Registered Users, Registered Users 2 Posts: 4,188 ✭✭✭wil




  • Registered Users, Registered Users 2 Posts: 36,462 ✭✭✭✭Hotblack Desiato


    Impetus wrote: »
    It does not affect Microsoft servers. Period!

    It may affect a system which uses software which relies on OpenSSL. However I would have thought that this would not apply to a pure firewall which I presume just passes packets to the server - even if that firewall was Linux based. The only exception I can think of is a firewall that also has VPN functionality.

    It does affect Microsoft servers... Period! if their SSL connection terminates on a device running a vulnerable version of OpenSSL. The web server isn't vulnerable itself, but that's little consolation to the users once the private key is hacked.




  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    Similar to ssllabs.com but gets to the point and made me almost lose my rag with about 20 mins left in work yesterday:(

    https://lastpass.com/heartbleed/


  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    ninja900 wrote: »
    It does affect Microsoft servers... Period! if their SSL connection terminates on a device running a vulnerable version of OpenSSL. The web server isn't vulnerable itself, but that's little consolation to the users once the private key is hacked.

    http://blogs.msdn.com/b/windowsazure/archive/2014/04/09/information-on-microsoft-azure-and-heartbleed.aspx


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Not just servers.

    There is a helluva lot, a helluva lot! of wireless access points and other devices that are vulnerable and forgotten about - some which may never be patched.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard



